[Openid-specs-ab] Fwd: DNS Based OpenID Connect Discovery / Day 2 / Session 1

Mike Schwartz mike at gluu.org
Wed Oct 18 23:59:13 UTC 2017

OpenID Connect gurus,

Please take a moment to provide some feedback to Marcos.

Also, maybe someone remembers why Webfinger was selected in favor of DNS 
in the first place?

- Mike

-------- Original Message --------

Discussed draft created by Marcos Sanz, which can be found here:


1. DNS is already in use for discovery, while Webfinger is used only for 
OpenID Connect.
2. DNS is probably more secure then a web service


1. RP developers will have to support both methods, because some IDP's 
may support one or the other.
2. RP developers will need a DNS client library to resolve discovery, 
versus using a 100% web tools.
3. Webfinger can handle more complex discovery rules, especially where 
email is at the top level, but there may be a number of underlying 
OpenID Providers. For example, let's say there are OP's at us.corp.com, 
emea.corp.com, and china.corp.com.  But... all email for users is at 
___ at corp.com for simplicity. DNS might struggle to implement the 
business logic for this scenario.
4. Oversimplifying a little... in some large enterprise environments, 
coordination with the "DNS department" adds some complexity to a rollout 
where OpenID Connect is primarily an operational concern of the "web 

Although there was a fair amount of skepticism, there did seem to be a 
case for supporting this, as it would be sufficient in the vast number 
of cases, and management of a one-off discovery service is not ideal for 

- Mike

PS: Sorry Marcos about my chromebook / video conferencing challenges. I 
forgot that would be a lot harder when I'm not using my laptop!

More information about the Openid-specs-ab mailing list